PT-2024-9301 · WordPress · Wp Umbrella

Arkadiusz Hydzik · Published 2024-12-07 · Updated 2024-12-26 · CVE-2024-12209

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress versions up to, and including, 2.17.0
Description: The plugin is vulnerable to Local File Inclusion, which makes it possible for unauthenticated attackers to include and execute arbitrary files on the server via the filename parameter of the umbrella-restore action. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and then included. Approximately 30,000 websites are exposed to compromise.
Recommendations: For WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress versions up to, and including, 2.17.0: update to version 2.17.1. As a temporary workaround, restrict access to the umbrella-restore action to minimize the risk of exploitation, and avoid relying on the filename parameter of the affected action until the plugin has been updated.
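A hardened way for a restore handler to treat a user-supplied backup filename, as an added PHP example that is not WP Umbrella's code: the name is allowlisted, resolved with realpath and confined to the backup directory, and the resulting path is only returned for reading, never passed to include. The fixed backup directory and the `.zip` naming convention are assumptions for illustration.

```php
<?php
// Added example (hypothetical, not the plugin's code): resolve a backup
// filename safely before a restore routine touches the file system.
function resolve_backup_path(string $backupDir, string $filename): ?string
{
    // 1. Allowlist the name format. The character class excludes '/', '\',
    //    NUL bytes and '..' sequences, so traversal never reaches the FS.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.zip\z/', $filename)) {
        return null;
    }
    // 2. Resolve both directory and candidate, then confine the candidate to
    //    the directory; this also defeats a symlink that points elsewhere.
    $root = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $filename);
    if ($root === false || $path === false) {
        return null;
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    // 3. The caller reads/unpacks this archive; nothing derived from the
    //    request is ever handed to include() or require().
    return $path;
}

// Demonstration on a constructed temporary layout (sample data, not real).
$dir = sys_get_temp_dir() . '/umbrella-demo-' . getmypid();
mkdir($dir);
touch($dir . '/site-2024-12-07.zip');
$cases = [
    'site-2024-12-07.zip',        // legitimate backup: accepted
    '../../../../etc/passwd',     // traversal: rejected by allowlist
    "site.zip\0.php",             // NUL truncation trick: rejected
    '/etc/passwd',                // absolute path: rejected
    'shell.php',                  // wrong extension: rejected
    'missing-2024-01-01.zip',     // well-formed but absent: rejected
];
foreach ($cases as $c) {
    printf("%-28s => %s\n", addcslashes($c, "\0"),
        resolve_backup_path($dir, $c) ?? 'rejected');
}
unlink($dir . '/site-2024-12-07.zip');
rmdir($dir);
```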

Related Identifiers

BDU:2024-10990
CVE-2024-12209

Affected Products

Wp Umbrella